Comment by dfox

8 hours ago

> Security? MUCH worse.

Comparing single-purpose declarative language that is not even really turing-complete with all the ugly hacks needed to make DOM/JS reasonably secure does not make any sense.

Exactly what you can abuse in XSLT (without non-standard extensions) in order to do anything security relevant? (DoS by infinite recursion or memory exhaustion does not count, you can do the same in JS...)

2 comments

dfox

dfabulich 5 hours ago

If you would RTFA, they're removing XSLT specifically for security reasons. They provide the following links:

https://www.offensivecon.org/speakers/2025/ivan-fratric.html

> Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.

https://nvd.nist.gov/vuln/detail/CVE-2025-7425

https://nvd.nist.gov/vuln/detail/CVE-2022-22834

(And, for the record, XSL is Turing-complete. It has xsl:variable, xsl:if, xsl:for-each, and xsl:apply-template function calls.)

exasperaited 6 hours ago

Are the security concerns not about libxslt, rather than XSLT?